From: Uwe Thiem
Organization: SysEx (Pty) Ltd.
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] SSH authentication attempts - serious issue
Date: Mon, 5 Jun 2006 16:30:52 +0100
Message-Id: <200606051630.52305.uwix@iway.na>
In-Reply-To: <5bc4c4570606050806w6497ae95x6164274b3cc33b3e@mail.gmail.com>

On 05 June 2006 16:06, Leandro Melo de Sales wrote:
> Hi,
>
> today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
>
> this seems to be a brute force attack, but one thing that worried me
> is why sshd didn't disconnect the remote host after 3 unsuccessful
> attempts? If we see in the log, there are many attempts with a time
> interval between attempts of 2 or 3 seconds, meaning that the sshd
> didn't disconnect the remote host after 3 attempts.
> So, first, am I thinking correctly about the sshd attempts?
> Second, how can I set up sshd or the entire system to permit just 2 or
> 3 attempts of authentication?
> I was checking the /etc/login.defs file
> and I see the following option:
>
> #
> # Max number of login retries if password is bad
> #
> LOGIN_RETRIES 3
>
> but why didn't this work for the above connection attempts?

Because it wasn't a bad password. It never got to that stage. ;-)

Uwe

-- 
Mark Twain: I rather decline two drinks than a German adjective.
-- 
gentoo-user@gentoo.org mailing list
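The point Uwe makes is visible in the log lines themselves: sshd writes "Invalid user X from A" when the account does not exist, before any password is examined, whereas a wrong password for a real account is logged as "Failed password for X from A". LOGIN_RETRIES in /etc/login.defs is honoured by the console login program, not by sshd; sshd's own knob is MaxAuthTries in sshd_config, and it only bounds attempts within a single connection. Every line in the quoted log carries a new sshd PID, so the scanner opens a fresh connection for each guess and no per-connection limit would ever fire; what stops it is per-source blocking (a host firewall rule or a fail2ban-style jail). The script below is an added example written for this page, not code from the thread or from OpenSSH: it parses a constructed sample log (hostnames, PIDs and addresses are made up, the addresses taken from documentation ranges), keeps the two failure kinds apart, and flags sources that exceed a threshold inside a time window. The threshold and window values are arbitrary choices for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not from the original post. Note the changing
# sshd PID on the brute-force lines: each guess is a separate connection.
SAMPLE_LOG = """\
Jun  5 05:09:45 embedded sshd[4740]: Invalid user barbara from 198.51.100.7
Jun  5 05:09:46 embedded sshd[4742]: Invalid user barb from 198.51.100.7
Jun  5 05:09:48 embedded sshd[4744]: Invalid user barbie from 198.51.100.7
Jun  5 05:09:50 embedded sshd[4746]: Invalid user barbra from 198.51.100.7
Jun  5 05:10:02 embedded sshd[4750]: Failed password for root from 203.0.113.9 port 4122 ssh2
Jun  5 05:10:05 embedded sshd[4750]: Failed password for root from 203.0.113.9 port 4122 ssh2
Jun  5 05:10:09 embedded sshd[4750]: Failed password for root from 203.0.113.9 port 4122 ssh2
Jun  5 05:10:11 embedded sshd[4752]: Failed password for root from 203.0.113.9 port 4123 ssh2
Jun  5 05:11:30 embedded sshd[4760]: Accepted publickey for uwe from 192.0.2.15 port 50022 ssh2
Jun  5 05:12:00 embedded sshd[4770]: Failed password for invalid user test from 192.0.2.99 port 3333 ssh2
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "

# "Invalid user": the account does not exist, sshd rejects before any
# password is looked at. This is the stage the reply refers to.
INVALID_USER_RE = re.compile(SYSLOG_PREFIX + r"Invalid user (?P<user>\S+) from (?P<addr>\S+)")
# "Failed password": a password was actually checked and was wrong.
FAILED_PW_RE = re.compile(
    SYSLOG_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<addr>\S+)"
)


def parse_events(text):
    """Turn sshd syslog lines into dicts (kind, ts, user, addr); other lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, pattern in (("invalid_user", INVALID_USER_RE), ("failed_password", FAILED_PW_RE)):
            m = pattern.match(line)
            if m:
                # syslog stamps carry no year; strptime defaults to 1900, fine for spans
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
                events.append({"kind": kind, "ts": ts, "user": m.group("user"), "addr": m.group("addr")})
                break
    return events


def counts_by_kind(events):
    """{addr: {kind: count}}: pre-auth rejections and real password failures kept apart."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev["addr"]][ev["kind"]] += 1
    return {addr: dict(kinds) for addr, kinds in counts.items()}


def offenders(events, threshold=3, window_seconds=60):
    """Addresses with `threshold` or more failures of either kind inside any
    `window_seconds` span, i.e. the candidates for a per-source block."""
    stamps_by_addr = defaultdict(list)
    for ev in events:
        stamps_by_addr[ev["addr"]].append(ev["ts"])
    flagged = {}
    for addr, stamps in stamps_by_addr.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged[addr] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for addr, kinds in counts_by_kind(evs).items():
        print(addr, kinds)
    print("block:", offenders(evs))
```

Run as is, it reports that 198.51.100.7 produced only "invalid_user" events (it never reached the password stage, so no password-retry limit could apply), that 203.0.113.9 produced four real password failures, and that both exceed three failures within a minute while the single failure from 192.0.2.99 does not. Feed it `journalctl -u sshd` or /var/log/auth.log output instead of SAMPLE_LOG to see the same split on a live host.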